(Zero Hedge)—In a shocking cyber security incident that should terrify every American, a top security researcher has revealed how he gained “unfettered access” to a major carmaker’s dealership portal – potentially allowing hackers to remotely hijack any customer vehicle from anywhere in the world.
Eaton Zveare, a security researcher at software delivery company Harness, made the alarming disclosure to TechCrunch, explaining how the devastating flaw could have enabled cybercriminals to access victims’ personal and financial data, track their vehicles in real-time, and even seize complete control of vehicles from any location globally.
While Zveare refused to name the vulnerable automaker, he confirmed it’s a popular car company operating multiple brands under its corporate umbrella, meaning millions of Americans could have been at risk.
TechCrunch reports:
Zveare, who has found bugs in carmakers’ customer systems and vehicle management systems before, found the flaw earlier this year as part of a weekend project, he told TechCrunch.
He said while the security flaws in the portal’s login system was a challenge to find, once he found it, the bugs let him bypass the login mechanism altogether by permitting him to create a new “national admin” account.
The flaws were problematic because the buggy code loaded in the user’s browser when opening the portal’s login page, allowing the user — in this case, Zveare — to modify the code to bypass the login security checks.
“No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads,” Zveare told the news outlet in his explosive interview.
The researcher demonstrated the hack’s terrifying potential, explaining: “For my purposes, I just got a friend who consented to me taking over their car, and I ran with that. But [the portal] could basically do that to anyone just by knowing their name — which kind-of freaks me out a bit — or I could just look up a car in the parking lots.”
“They’re just security nightmares waiting to happen,” he added, highlighting the industry-wide vulnerabilities that could leave American families exposed to cyber attacks.
Fortunately, the carmaker acted swiftly after being notified, with Zveare confirming that the critical vulnerabilities were patched within one week in February 2025.
“The takeaway is that only two simple API vulnerabilities blasted the doors open, and it’s always related to authentication,” said Zveare. “If you’re going to get those wrong, then everything just falls down.”
The revelation underscores the growing threat of cyber warfare targeting America’s critical infrastructure, raising serious questions about whether our automotive industry is doing enough to protect Americans from hackers.
